Details
- Bug
- Resolution: Incomplete
- P1: Critical
- None
- 6.0
- None
Description
To reproduce, check out https://codereview.qt-project.org/c/qt/qtquickcontrols/+/318391/ and run the extras auto test with -input /home/mitch/dev/qt-dev/qtquickcontrols/tests/auto/extras/data/tst_piemenu.qml.
```
12:20:14: Starting /home/mitch/dev/qt-dev-debug/qtquickcontrols/tests/auto/extras/tst_extras -input /home/mitch/dev/qt-dev/qtquickcontrols/tests/auto/extras/data/tst_piemenu.qml...
qt.qml.typeregistration: Invalid QML element name "MenuItemType"; value type names should begin with a lowercase letter
qt.qml.typeregistration: Invalid QML element name "SelectionMode"; value type names should begin with a lowercase letter
qt.qml.typeregistration: Invalid QML element name "ActivationMode"; value type names should begin with a lowercase letter
qt.qml.typeregistration: Invalid QML element name "TriggerMode"; value type names should begin with a lowercase letter
********* Start testing of extras *********
Config: Using QtTest library 6.0.0, Qt 6.0.0 (x86_64-little_endian-lp64 shared (dynamic) debug build; by GCC 7.5.0), ubuntu 18.04
PASS : extras::Tests_PieMenu::initTestCase()
PASS : extras::Tests_PieMenu::test_QTRD3027()
=================================================================
==6774==ERROR: AddressSanitizer: heap-use-after-free on address 0x6150000ee000 at pc 0x7fef37bfaafb bp 0x7fef0892f500 sp 0x7fef0892f4f0
READ of size 8 at 0x6150000ee000 thread T7 (QSGRenderThread)
PASS : extras::Tests_PieMenu::test_addItem()
    #0 0x7fef37bfaafa in QRhiGles2::enqueueBindFramebuffer(QRhiRenderTarget*, QGles2CommandBuffer*, bool*, bool*) /home/mitch/dev/qt-dev/qtbase/src/gui/rhi/qrhigles2.cpp:3200
    #1 0x7fef37bfb704 in QRhiGles2::beginPass(QRhiCommandBuffer*, QRhiRenderTarget*, QColor const&, QRhiDepthStencilClearValue const&, QRhiResourceUpdateBatch*, QFlags<QRhiCommandBuffer::BeginPassFlag>) /home/mitch/dev/qt-dev/qtbase/src/gui/rhi/qrhigles2.cpp:3286
    #2 0x7fef37b2ea97 in QRhiCommandBuffer::beginPass(QRhiRenderTarget*, QColor const&, QRhiDepthStencilClearValue const&, QRhiResourceUpdateBatch*, QFlags<QRhiCommandBuffer::BeginPassFlag>) /home/mitch/dev/qt-dev/qtbase/src/gui/rhi/qrhi.cpp:5211
    #3 0x7fef2ea45630 in QSGBatchRenderer::Renderer::beginRenderPass(QSGBatchRenderer::Renderer::RenderPassContext*) /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/coreapi/qsgbatchrenderer.cpp:3647
    #4 0x7fef2ea411cd in QSGBatchRenderer::Renderer::render() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/coreapi/qsgbatchrenderer.cpp:3382
    #5 0x7fef2ea0a125 in QSGRenderer::renderScene() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/coreapi/qsgrenderer.cpp:175
    #6 0x7fef2ec13d43 in QSGDefaultRenderContext::renderNextRhiFrame(QSGRenderer*) /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgdefaultrendercontext.cpp:211
    #7 0x7fef2eaee3c6 in QSGRhiLayer::grab() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgrhilayer.cpp:423
    #8 0x7fef2eae9534 in QSGRhiLayer::updateTexture() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgrhilayer.cpp:107
    #9 0x7fef2eafcbda in QSGRhiShaderEffectNode::preprocess() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgrhishadereffectnode.cpp:771
    #10 0x7fef2ea0b152 in QSGRenderer::preprocess() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/coreapi/qsgrenderer.cpp:269
    #11 0x7fef2ea0a0c2 in QSGRenderer::renderScene() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/coreapi/qsgrenderer.cpp:172
    #12 0x7fef2ec13d43 in QSGDefaultRenderContext::renderNextRhiFrame(QSGRenderer*) /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgdefaultrendercontext.cpp:211
    #13 0x7fef2ede170f in QQuickWindowPrivate::renderSceneGraph(QSize const&, QSize const&) /home/mitch/dev/qt-dev/qtdeclarative/src/quick/items/qquickwindow.cpp:706
    #14 0x7fef2ec2f0f8 in QSGRenderThread::syncAndRender(QImage*) /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgthreadedrenderloop.cpp:781
    #15 0x7fef2ec31a57 in QSGRenderThread::run() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgthreadedrenderloop.cpp:991
    #16 0x7fef33b22d7a in QThreadPrivate::start(void*) /home/mitch/dev/qt-dev/qtbase/src/corelib/thread/qthread_unix.cpp:329
    #17 0x7fef327106da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #18 0x7fef32e55a3e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x121a3e)

0x6150000ee000 is located 0 bytes inside of 472-byte region [0x6150000ee000,0x6150000ee1d8)
freed by thread T0 here:
    #0 0x7fef3cd629c8 in operator delete(void*, unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe19c8)
    #1 0x7fef37c0b6ae in QGles2TextureRenderTarget::~QGles2TextureRenderTarget() /home/mitch/dev/qt-dev/qtbase/src/gui/rhi/qrhigles2.cpp:4311
    #2 0x7fef2eaea17e in QSGRhiLayer::releaseResources() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgrhilayer.cpp:214
    #3 0x7fef2eae985a in QSGRhiLayer::setItem(QSGNode*) /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgrhilayer.cpp:135
    #4 0x7fef2f2b1c88 in QQuickShaderEffectSource::sourceItemParentChanged(QQuickItem*) /home/mitch/dev/qt-dev/qtdeclarative/src/quick/items/qquickshadereffectsource.cpp:370
    #5 0x7fef2f2b55d4 in QQuickShaderEffectSource::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) .moc/moc_qquickshadereffectsource_p.cpp:219
    #6 0x7fef3449e661 in void doActivate<false>(QObject*, int, void**) /home/mitch/dev/qt-dev/qtbase/src/corelib/kernel/qobject.cpp:3832
    #7 0x7fef3448f6ba in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) /home/mitch/dev/qt-dev/qtbase/src/corelib/kernel/qobject.cpp:3880
    #8 0x7fef2ed478d6 in QQuickItem::parentChanged(QQuickItem*) .moc/moc_qquickitem.cpp:1056
    #9 0x7fef2ed11404 in QQuickItem::setParentItem(QQuickItem*) /home/mitch/dev/qt-dev/qtdeclarative/src/quick/items/qquickitem.cpp:2761
    #10 0x7fef2ed0c3fb in QQuickItem::~QQuickItem() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/items/qquickitem.cpp:2329
    #11 0x7fef2f59de8c in QQmlPrivate::QQmlElement<QQuickItem>::~QQmlElement() /home/mitch/dev/qt-dev-debug/qtbase/include/QtQml/../../../../qt-dev/qtdeclarative/src/qml/qml/qqmlprivate.h:133
    #12 0x7fef2f59deb1 in QQmlPrivate::QQmlElement<QQuickItem>::~QQmlElement() /home/mitch/dev/qt-dev-debug/qtbase/include/QtQml/../../../../qt-dev/qtdeclarative/src/qml/qml/qqmlprivate.h:133
    #13 0x7fef34480492 in QObjectPrivate::deleteChildren() /home/mitch/dev/qt-dev/qtbase/src/corelib/kernel/qobject.cpp:2045
    #14 0x7fef3447c7c3 in QObject::~QObject() /home/mitch/dev/qt-dev/qtbase/src/corelib/kernel/qobject.cpp:1071
    #15 0x7fef2ed0cfee in QQuickItem::~QQuickItem() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/items/qquickitem.cpp:2316
    #16 0x7fef2ee6e88d in QQuickImplicitSizeItem::~QQuickImplicitSizeItem() /home/mitch/dev/qt-dev-debug/qtbase/include/QtQuick/6.0.0/QtQuick/private/../../../../../../../qt-dev/qtdeclarative/src/quick/items/qquickimplicitsizeitem_p.h:60
    #17 0x7fef2effb195 in QQuickLoader::~QQuickLoader() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/items/qquickloader.cpp:313
    #18 0x7fef2f59da94 in QQmlPrivate::QQmlElement<QQuickLoader>::~QQmlElement() /home/mitch/dev/qt-dev-debug/qtbase/include/QtQml/../../../../qt-dev/qtdeclarative/src/qml/qml/qqmlprivate.h:133
    #19 0x7fef2f59dab9 in QQmlPrivate::QQmlElement<QQuickLoader>::~QQmlElement() /home/mitch/dev/qt-dev-debug/qtbase/include/QtQml/../../../../qt-dev/qtdeclarative/src/qml/qml/qqmlprivate.h:133
    #20 0x7fef34480492 in QObjectPrivate::deleteChildren() /home/mitch/dev/qt-dev/qtbase/src/corelib/kernel/qobject.cpp:2045
    #21 0x7fef3447c7c3 in QObject::~QObject() /home/mitch/dev/qt-dev/qtbase/src/corelib/kernel/qobject.cpp:1071
    #22 0x7fef2ed0cfee in QQuickItem::~QQuickItem() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/items/qquickitem.cpp:2316
    #23 0x7fef2f59de8c in QQmlPrivate::QQmlElement<QQuickItem>::~QQmlElement() /home/mitch/dev/qt-dev-debug/qtbase/include/QtQml/../../../../qt-dev/qtdeclarative/src/qml/qml/qqmlprivate.h:133
    #24 0x7fef2f59deb1 in QQmlPrivate::QQmlElement<QQuickItem>::~QQmlElement() /home/mitch/dev/qt-dev-debug/qtbase/include/QtQml/../../../../qt-dev/qtdeclarative/src/qml/qml/qqmlprivate.h:133
    #25 0x7fef34480492 in QObjectPrivate::deleteChildren() /home/mitch/dev/qt-dev/qtbase/src/corelib/kernel/qobject.cpp:2045
    #26 0x7fef3447c7c3 in QObject::~QObject() /home/mitch/dev/qt-dev/qtbase/src/corelib/kernel/qobject.cpp:1071
    #27 0x7fef2ed0cfee in QQuickItem::~QQuickItem() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/items/qquickitem.cpp:2316
    #28 0x7fef2f59de8c in QQmlPrivate::QQmlElement<QQuickItem>::~QQmlElement() /home/mitch/dev/qt-dev-debug/qtbase/include/QtQml/../../../../qt-dev/qtdeclarative/src/qml/qml/qqmlprivate.h:133
    #29 0x7fef2f59deb1 in QQmlPrivate::QQmlElement<QQuickItem>::~QQmlElement() /home/mitch/dev/qt-dev-debug/qtbase/include/QtQml/../../../../qt-dev/qtdeclarative/src/qml/qml/qqmlprivate.h:133

previously allocated by thread T7 (QSGRenderThread) here:
    #0 0x7fef3cd61448 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0448)
    #1 0x7fef37be12d0 in QRhiGles2::createTextureRenderTarget(QRhiTextureRenderTargetDescription const&, QFlags<QRhiTextureRenderTarget::Flag>) /home/mitch/dev/qt-dev/qtbase/src/gui/rhi/qrhigles2.cpp:1045
    #2 0x7fef37b30af7 in QRhi::newTextureRenderTarget(QRhiTextureRenderTargetDescription const&, QFlags<QRhiTextureRenderTarget::Flag>) /home/mitch/dev/qt-dev/qtbase/src/gui/rhi/qrhi.cpp:6054
    #3 0x7fef2eaec86b in QSGRhiLayer::grab() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgrhilayer.cpp:347
    #4 0x7fef2eae9534 in QSGRhiLayer::updateTexture() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgrhilayer.cpp:107
    #5 0x7fef2eafcbda in QSGRhiShaderEffectNode::preprocess() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgrhishadereffectnode.cpp:771
    #6 0x7fef2ea0b152 in QSGRenderer::preprocess() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/coreapi/qsgrenderer.cpp:269
    #7 0x7fef2ea0a0c2 in QSGRenderer::renderScene() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/coreapi/qsgrenderer.cpp:172
    #8 0x7fef2ec13d43 in QSGDefaultRenderContext::renderNextRhiFrame(QSGRenderer*) /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgdefaultrendercontext.cpp:211
    #9 0x7fef2ede170f in QQuickWindowPrivate::renderSceneGraph(QSize const&, QSize const&) /home/mitch/dev/qt-dev/qtdeclarative/src/quick/items/qquickwindow.cpp:706
    #10 0x7fef2ec2f0f8 in QSGRenderThread::syncAndRender(QImage*) /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgthreadedrenderloop.cpp:781
    #11 0x7fef2ec31a57 in QSGRenderThread::run() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgthreadedrenderloop.cpp:991
    #12 0x7fef33b22d7a in QThreadPrivate::start(void*) /home/mitch/dev/qt-dev/qtbase/src/corelib/thread/qthread_unix.cpp:329
    #13 0x7fef327106da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)

Thread T7 (QSGRenderThread) created by T0 here:
    #0 0x7fef3ccb8d2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
    #1 0x7fef33b245f9 in QThread::start(QThread::Priority) /home/mitch/dev/qt-dev/qtbase/src/corelib/thread/qthread_unix.cpp:714
    #2 0x7fef2ec3623e in QSGThreadedRenderLoop::handleExposure(QQuickWindow*) /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgthreadedrenderloop.cpp:1323
    #3 0x7fef2ec34d46 in QSGThreadedRenderLoop::exposureChanged(QQuickWindow*) /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgthreadedrenderloop.cpp:1251
    #4 0x7fef2eddd78c in QQuickWindow::exposeEvent(QExposeEvent*) /home/mitch/dev/qt-dev/qtdeclarative/src/quick/items/qquickwindow.cpp:244
    #5 0x7fef36a30385 in QWindow::event(QEvent*) /home/mitch/dev/qt-dev/qtbase/src/gui/kernel/qwindow.cpp:2438
    #6 0x7fef2eded09c in QQuickWindow::event(QEvent*) /home/mitch/dev/qt-dev/qtdeclarative/src/quick/items/qquickwindow.cpp:2000
    #7 0x7fef34356507 in QCoreApplicationPrivate::notify_helper(QObject*, QEvent*) /home/mitch/dev/qt-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1200
    #8 0x7fef34355c92 in doNotify /home/mitch/dev/qt-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1129
    #9 0x7fef34355b69 in QCoreApplication::notify(QObject*, QEvent*) /home/mitch/dev/qt-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1115
    #10 0x7fef369bc6f0 in QGuiApplication::notify(QObject*, QEvent*) /home/mitch/dev/qt-dev/qtbase/src/gui/kernel/qguiapplication.cpp:1944
    #11 0x7fef34355991 in QCoreApplication::notifyInternal2(QObject*, QEvent*) /home/mitch/dev/qt-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1039
    #12 0x7fef34357080 in QCoreApplication::sendSpontaneousEvent(QObject*, QEvent*) /home/mitch/dev/qt-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1446
    #13 0x7fef369c9f13 in QGuiApplicationPrivate::processExposeEvent(QWindowSystemInterfacePrivate::ExposeEvent*) /home/mitch/dev/qt-dev/qtbase/src/gui/kernel/qguiapplication.cpp:3192
    #14 0x7fef369bd6a1 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) /home/mitch/dev/qt-dev/qtbase/src/gui/kernel/qguiapplication.cpp:2085
    #15 0x7fef3691e251 in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) /home/mitch/dev/qt-dev/qtbase/src/gui/kernel/qwindowsysteminterface.cpp:1129
    #16 0x7fef1d5cdba9 in xcbSourceDispatch /home/mitch/dev/qt-dev/qtbase/src/plugins/platforms/xcb/qxcbeventdispatcher.cpp:93
    #17 0x7fef27815416 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c416)

SUMMARY: AddressSanitizer: heap-use-after-free /home/mitch/dev/qt-dev/qtbase/src/gui/rhi/qrhigles2.cpp:3200 in QRhiGles2::enqueueBindFramebuffer(QRhiRenderTarget*, QGles2CommandBuffer*, bool*, bool*)
Shadow bytes around the buggy address:
  0x0c2a80015bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a80015bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a80015bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a80015be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a80015bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2a80015c00:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a80015c10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a80015c20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a80015c30: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c2a80015c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a80015c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
==6774==ABORTING
12:20:16: /home/mitch/dev/qt-dev-debug/qtquickcontrols/tests/auto/extras/tst_extras exited with code 1
```
For Gerrit Dashboard: QTBUG-87754

| # | Subject | Branch | Project | Status | CR | V |
|---|---|---|---|---|---|---|
| 318870,1 | Blacklist failing tests in Qt 6 | dev | qt/qtquickcontrols | ABANDONED | -1 | 0 |